[ https://issues.apache.org/jira/browse/KAFKA-3328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15178633#comment-15178633 ]
ASF GitHub Bot commented on KAFKA-3328:
---------------------------------------

GitHub user granthenke opened a pull request:

    https://github.com/apache/kafka/pull/1006

    KAFKA-3328: SimpleAclAuthorizer can lose ACLs with frequent add/remov…

    …e calls

    Changes the SimpleAclAuthorizer to:
    - Always read state from Zookeeper before updating acls
    - Update local cache when modifying acls

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/granthenke/kafka simple-authorizer-fix

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/1006.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1006

----
commit 3483b759e1cf5e5a42ad3206eca41e8e75906b41
Author: Grant Henke <granthe...@gmail.com>
Date:   2016-03-03T20:59:03Z

    KAFKA-3328: SimpleAclAuthorizer can lose ACLs with frequent add/remove calls

    Changes the SimpleAclAuthorizer to:
    - Always read state from Zookeeper before updating acls
    - Update local cache when modifying acls

----

> SimpleAclAuthorizer can lose ACLs with frequent add/remove calls
> ----------------------------------------------------------------
>
>                 Key: KAFKA-3328
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3328
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Grant Henke
>            Assignee: Grant Henke
>
> Currently when adding or removing an ACL with the SimpleAclAuthorizer the
> following high level steps happen:
> # read acls from cache
> # merge with the changed acls
> # update zookeeper
> # add a change notification
> Then the Authorizers listening for the change notification know to invalidate
> their cache and get the latest value. However that takes some time. In the
> time between the ACL change and the cache update, a new add or remove request
> could be made. This will follow the steps listed above, and if the cache is
> not correct all changes from the previous request are lost.
> This can be solved on a single node, by updating the cache at the same time
> you update zookeeper any time a change is made. However, because there can be
> multiple instances of the Authorizer, a request could come to a separate
> authorizer and overwrite the Zookeeper state again, losing changes from
> earlier requests.
> To solve this on multiple instances, the authorizer could always read/write
> state from zookeeper (instead of the cache) for add/remove requests and only
> leverage the cache for get/authorize requests. Or it could block until all
> the live instances have updated their cache.
> Below is a log from a failed test in the WIP [pull
> request|https://github.com/apache/kafka/pull/1005] for KAFKA-3266 that shows
> this behavior:
> {noformat}
> [2016-03-03 11:09:20,714] DEBUG [KafkaApi-0] adding User:ANONYMOUS has Allow permission for operations: Describe from hosts: * for Cluster:kafka-cluster (kafka.server.KafkaApis:52)
> [2016-03-03 11:09:20,726] DEBUG updatedAcls: Set(User:ANONYMOUS has Allow permission for operations: Describe from hosts: *) (kafka.security.auth.SimpleAclAuthorizer:52)
> [2016-03-03 11:09:20,738] DEBUG [KafkaApi-0] adding User:ANONYMOUS has Deny permission for operations: Describe from hosts: * for Cluster:kafka-cluster (kafka.server.KafkaApis:52)
> [2016-03-03 11:09:20,739] DEBUG updatedAcls: Set(User:ANONYMOUS has Deny permission for operations: Describe from hosts: *) (kafka.security.auth.SimpleAclAuthorizer:52)
> [2016-03-03 11:09:20,752] DEBUG Processing ACL change notification for Cluster:kafka-cluster and Set(User:ANONYMOUS has Deny permission for operations: Describe from hosts: *) (kafka.security.auth.SimpleAclAuthorizer:52)
> [2016-03-03 11:09:20,755] DEBUG Processing ACL change notification for Cluster:kafka-cluster and Set(User:ANONYMOUS has Deny permission for operations: Describe from hosts: *) (kafka.security.auth.SimpleAclAuthorizer:52)
> [2016-03-03 11:09:20,762] DEBUG Processing ACL change notification for Cluster:kafka-cluster and Set(User:ANONYMOUS has Deny permission for operations: Describe from hosts: *) (kafka.security.auth.SimpleAclAuthorizer:52)
> [2016-03-03 11:09:20,768] DEBUG Processing ACL change notification for Cluster:kafka-cluster and Set(User:ANONYMOUS has Deny permission for operations: Describe from hosts: *) (kafka.security.auth.SimpleAclAuthorizer:52)
> [2016-03-03 11:09:20,773] DEBUG Processing ACL change notification for Cluster:kafka-cluster and Set(User:ANONYMOUS has Deny permission for operations: Describe from hosts: *) (kafka.security.auth.SimpleAclAuthorizer:52)
> [2016-03-03 11:09:20,777] DEBUG Processing ACL change notification for Cluster:kafka-cluster and Set(User:ANONYMOUS has Deny permission for operations: Describe from hosts: *) (kafka.security.auth.SimpleAclAuthorizer:52)
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
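
The sequence in the log above (an Allow add followed by a Deny add before any change notification is processed) can be replayed in a small model that compares the cache-based update path with the read-from-store path the pull request describes. This is an added example, not code from the pull request or from Kafka; `Store`, `Authorizer` and `replay` are hypothetical names, and `Store` only stands in for the ZooKeeper node.

```python
# Constructed model of the KAFKA-3328 lost update; not Kafka or ZooKeeper code.
ALLOW = "User:ANONYMOUS has Allow permission for operations: Describe from hosts: *"
DENY = "User:ANONYMOUS has Deny permission for operations: Describe from hosts: *"


class Store:
    """Stands in for the ZooKeeper node holding the ACL set of one resource."""

    def __init__(self):
        self.acls = frozenset()

    def write(self, acls):
        self.acls = frozenset(acls)


class Authorizer:
    def __init__(self, store, read_store_on_update):
        self.store = store
        self.cache = frozenset()
        self.read_store_on_update = read_store_on_update

    def add_acl(self, acl):
        # Reported steps: read from cache, merge, update store, notify.
        # Changed steps: read from the store instead, then refresh the cache.
        base = self.store.acls if self.read_store_on_update else self.cache
        updated = base | {acl}
        self.store.write(updated)
        if self.read_store_on_update:
            self.cache = updated
        return updated

    def process_notification(self):
        self.cache = self.store.acls  # invalidate the cache and reload


def replay(read_store_on_update, same_instance):
    """Add ALLOW, then DENY before any change notification has been processed."""
    store = Store()
    first = Authorizer(store, read_store_on_update)
    second = first if same_instance else Authorizer(store, read_store_on_update)
    first.add_acl(ALLOW)
    second.add_acl(DENY)          # arrives inside the notification delay
    for node in (first, second):  # notifications are delivered only now
        node.process_notification()
    return store.acls, [first.cache, second.cache]


if __name__ == "__main__":
    for fixed in (False, True):
        for same in (True, False):
            acls, _ = replay(fixed, same)
            print(f"read_store={fixed} same_instance={same}: {sorted(acls)}")
```

The model runs the two requests one after the other, so it covers only the stale-cache window the issue describes, not two instances interleaving their own store read and write.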